Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.

Presentation transcript:

1 Misc. Announcements
Backup your work!
Document team members' contributions (so that if there is any dispute …)
More Bonus credits: Create screencasts for Web service consumption and/or production using NetBeans 7.0
Pre-Test2 (with past test questions!), Prototype Demo, and Final Milestone specs are posted!
Which teams go first? 2 options:
  Any volunteers for the first meeting day during the final presentation week? We need at least three! (notify me the day before)
  Consolidate project presentations into 1 marathon day (on the 2nd meeting day) (work on your project on the 1st meeting day)
Check website/email on the day before

2 Misc. Announcements
Project presentations to be held in OU 129
IT GlassFish and Derby: make sure that you load up everything you need on the IT GlassFish and Derby servers (not localhost) and be ready to present by simply typing the URL when you're at the lead station. You're not to load anything on the lead station!
Project presentation order (alphabetical): TBA
Send me an email indicating your preference (go 1st, go last, etc.) if you have any.

3 If we had another x # of weeks in this class …

4 I'd probably cover the following topics in greater detail:
Security
  SQL injection & XSS (Cross Site Scripting)
  HTTPS
  Various server-supported authentications, etc.
More Web services
  REST
  SOAP, WSDL, UDDI
More XML
  XML Parsing: DOM, SAX
  XSLT (eXtensible Stylesheet Language Transformation)
  DTD/XML Schema

5 Topics (cont'd)
Mobile Development
  Android, iOS
  M-Commerce (Mobile-Commerce)
Deploying WAR to server
More Architectural Issues
  Scalability
  Reliability
Portal Development
etc.

6 SQL Injection
"SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed." [Wikipedia …]
"A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database." [UCLA …]

7 SQL Injection
Consider the following code segment for LoginServlet:

String queryStr = "Select count(*) from IdPassword where Id = '" + userName + "' and Password = '" + password + "'";
rs = stmt.executeQuery(queryStr);
// If the login info is invalid, rs will still have a row, but the count will be 0.
// Otherwise the login is good.
rs.next(); // get the count
if (rs.getInt(1) == 0)
    outStr += "Your login info is incorrect. Try again.";
else
    outStr += "Welcome back, " + userName + ". Please buy something this time :)";

8 SQL Injection
Now consider the input:
Id: 12345' OR '1'='1
Password: abcxyz' OR '1'='1
The hacker gets in!!!
Instead of
Select count(*) from IdPassword where Id = '11111' and Password = 'helloJava';
you issue the query
Select count(*) from IdPassword where Id = '12345' or '1'='1' and Password = 'abcxyz' or '1'='1';
The trailing or '1'='1' makes the WHERE clause true for every row, so count(*) is the size of the table rather than 0, and the servlet treats the login as valid.

9 SQL Injection
Another example of SQL Injection:
http://www.foo.com/news.jsp?story='100' UNION SELECT number from creditcards where type='visa'
This effectively makes the SQL statement:
SELECT story from news where id='100' UNION SELECT number from creditcards where type='visa'
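As an added example that is not from the slides, the LoginServlet check of slide 7 written twice in JDBC: the string-concatenated query beside a PreparedStatement version. The IdPassword table and its Id/Password columns are the slide's; the Connection is assumed to be supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginCheck {

    // Vulnerable form (the slide's LoginServlet logic): user input is spliced into
    // the SQL text, so an Id such as 12345' OR '1'='1 rewrites the WHERE clause.
    static boolean loginVulnerable(Connection conn, String userName, String password)
            throws SQLException {
        String queryStr = "SELECT count(*) FROM IdPassword WHERE Id = '" + userName
                + "' AND Password = '" + password + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(queryStr)) {
            rs.next();
            return rs.getInt(1) > 0;
        }
    }

    // Hardened form: the SQL text is fixed and contains only placeholders. The JDBC
    // driver sends the values separately from the statement, so a quote inside them
    // is data, never syntax, and the same two inputs now match no row.
    static boolean loginSafe(Connection conn, String userName, String password)
            throws SQLException {
        String queryStr = "SELECT count(*) FROM IdPassword WHERE Id = ? AND Password = ?";
        try (PreparedStatement ps = conn.prepareStatement(queryStr)) {
            ps.setString(1, userName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1) > 0;
            }
        }
    }
    // Comparing a plaintext Password column is a separate weakness the slide does not cover.
}
```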

10 A Tour of the Vulnerabilities
Cross-Site Scripting
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users." [Wikipedia]
Cause: The application writes unvalidated output in an HTTP response.
Effect: An attacker is able to write data to the victim's browser. The attacker may exploit a known browser vulnerability, or use JavaScript to run a phishing scam. More advanced attacks against a victim's intranet are possible.
Sample code:
String name = request.getParameter("name");
response.getWriter().println(name);
Ref: sdtimes, 2006
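An added example, not from the slides: an HTML output encoder that the sample servlet would apply to the "name" parameter before writing it into the response. The sample input is constructed, and the escapeHtml name is an assumption.

```java
public class HtmlEscape {

    // Replace the characters that can start or end markup in an HTML text node or
    // quoted attribute value. This encoding is only correct for those two contexts;
    // data placed inside a <script> block or a URL needs a different encoder.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for request.getParameter("name").
        String name = "Bob <b>&</b> \"friends\"";
        // In the slide's servlet the output line becomes:
        //   response.getWriter().println(escapeHtml(request.getParameter("name")));
        System.out.println("<p>Hello, " + escapeHtml(name) + "</p>");
    }
}
```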

11 Vulnerabilities (cont'd)
Buffer Overflow
Cause: An unchecked boundary condition allows an attacker to write data outside the bounds of allocated memory.
Effect: An attacker may be able to insert new instructions into the program and have the program execute those instructions.
Sample code:
char buf[128];
gets(buf);

